# -*- coding: utf-8 -*- # # Copyright (C) 2018 Branko Majic # # This file is part of Gimmecert. # # Gimmecert is free software: you can redistribute it and/or modify it # under the terms of the GNU General Public License as published by the Free # Software Foundation, either version 3 of the License, or (at your option) any # later version. # # Gimmecert is distributed in the hope that it will be useful, but # WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or # FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more # details. # # You should have received a copy of the GNU General Public License along with # Gimmecert. If not, see . # import sys from .base import run_command def test_server_command_available_with_help(): # John has finally finished initialising his CA hierarchy. What he # wants to do now is to issue a server certificate. He starts off # by having a look at the list of available commands. stdout, stderr, exit_code = run_command("gimmecert") # Looking at output, John notices the server command. assert exit_code == 0 assert stderr == "" assert "server" in stdout # He goes ahead and has a look at the server command invocation to # check what kind of parameters he might need to provide. stdout, stderr, exit_code = run_command("gimmecert", "server", "-h") # John can see that the command accepts an entity name, and an # optional list of DNS subject alternative names. assert exit_code == 0 assert stderr == "" assert stdout.startswith("usage: gimmecert server") # Help output for nargs="*" got changed in Python 3.9. See # https://bugs.python.org/issue38438 for details. if sys.version_info.major == 3 and sys.version_info.minor < 9: assert " entity_name [dns_name [dns_name ...]]" in stdout else: assert " entity_name [dns_name ...]" in stdout def test_server_command_requires_initialised_hierarchy(tmpdir): # John is about to issue a server certificate. He switches to his # project directory. tmpdir.chdir() # John tries to issue a server certificate. stdout, stderr, exit_code = run_command("gimmecert", "server", "myserver") # Unfortunately, John has forgotten to initialise the CA hierarchy # from within this directory, and is instead presented with an # error. assert stdout == "" assert stderr == "CA hierarchy must be initialised prior to issuing server certificates. Run the gimmecert init command first.\n" assert exit_code != 0 def test_server_command_issues_server_certificate(tmpdir): # John is about to issue a server certificate. He switches to his # project directory, and initialises the CA hierarchy there. tmpdir.chdir() run_command("gimmecert", "init") # He then runs command for issuing a server certificate. stdout, stderr, exit_code = run_command('gimmecert', 'server', 'myserver') # John notices that the command has run without an error, and that # it has printed out path to the private key and certificate. assert stderr == "" assert exit_code == 0 assert "Server certificate issued." in stdout assert ".gimmecert/server/myserver.key.pem" in stdout assert ".gimmecert/server/myserver.cert.pem" in stdout # John has a look at the generated private key using the OpenSSL # CLI. stdout, stderr, exit_code = run_command('openssl', 'rsa', '-noout', '-text', '-in', '.gimmecert/server/myserver.key.pem') # No errors are reported, and John is able to see some details # about the generated key. assert exit_code == 0 assert stderr == "" assert "Private-Key: (2048 bit)" in stdout # John then has a look at the generated certificate file. stdout, stderr, exit_code = run_command('openssl', 'x509', '-noout', '-text', '-in', '.gimmecert/server/myserver.cert.pem') # Once again, there are no errors, and he can see some details # about the certificate. assert exit_code == 0 assert stderr == "" assert 'Certificate:' in stdout # He notices that the certificate includes the provided entity # name as DNS subject alternative name. assert "DNS:myserver\n" in stdout # John has a quick look at issuer and subject DN stored in # certificate. issuer_dn, _, _ = run_command('openssl', 'x509', '-noout', '-issuer', '-in', '.gimmecert/server/myserver.cert.pem') subject_dn, _, _ = run_command('openssl', 'x509', '-noout', '-subject', '-in', '.gimmecert/server/myserver.cert.pem') issuer_dn = issuer_dn.replace('issuer=', '', 1).rstrip().replace(' /CN=', 'CN = ', 1) # OpenSSL 1.0 vs 1.1 formatting subject_dn = subject_dn.replace('subject=', '', 1).rstrip().replace(' /CN=', 'CN = ', 1) # OpenSSL 1.0 vs 1.1 formatting # He notices the issuer DN is as expected based on the directory # name, and that server certificate subject DN simply has CN field # with the name he provided earlier. assert issuer_dn == "CN = %s Level 1 CA" % tmpdir.basename assert subject_dn == "CN = myserver" # John takes a look at certificate purpose, since he wants to # ensure it is a proper TLS server certificate. stdout, stderr, exit_code = run_command('openssl', 'x509', '-noout', '-purpose', '-in', '.gimmecert/server/myserver.cert.pem') # He verifies that the provided certificate has correct purpose. assert "SSL server : Yes" in stdout assert "SSL server CA : No" in stdout assert "SSL client : No" in stdout assert "SSL client CA : No" in stdout # Finally, he decides to check if the certificate can be verified # using the CA certificate chain. _, _, error_code = run_command( "openssl", "verify", "-CAfile", ".gimmecert/ca/chain-full.cert.pem", ".gimmecert/server/myserver.cert.pem" ) # He is happy to see that verification succeeds. assert error_code == 0 def test_server_command_issues_server_certificate_with_additional_subject_alternative_names(tmpdir): # John wants to issue a server certificate that will include a # number of additional DNS subject alternative names. He switches # to his project directory, and initialises the CA hierarchy # there. tmpdir.chdir() run_command("gimmecert", "init") # He then runs command for issuing a server certificate, providing # additional DNS subject alternative names.. stdout, stderr, exit_code = run_command('gimmecert', 'server', 'myserver', 'myserver.local', 'myserver.example.com') # The command finishes without any errors being reported. assert stderr == "" assert exit_code == 0 # John then a look at generated certificate file. stdout, stderr, exit_code = run_command('openssl', 'x509', '-noout', '-text', '-in', '.gimmecert/server/myserver.cert.pem') # No errors are reported, and he notices that the provided subject # alternative names have been included in the certificate in # addition to default one based on the server entity name. assert exit_code == 0 assert stderr == "" assert "DNS:myserver," in stdout assert "DNS:myserver.local," in stdout assert "DNS:myserver.example.com\n" in stdout def test_server_command_does_not_overwrite_existing_artifacts(tmpdir): # John has become an avid user of Gimmecert. He uses it in a lot # of projects, including one specific project which he had set-up # a couple of months ago, where he has issued some server # certificate. tmpdir.chdir() run_command("gimmecert", "init") run_command("gimmecert", "server", "myserver") private_key = tmpdir.join(".gimmecert", "server", "myserver.key.pem").read() certificate = tmpdir.join(".gimmecert", "server", "myserver.cert.pem").read() # After a couple of months of inactivity on that particular # project, John is again asked to do something in relation to # it. He recalls that he needed to issue a server certificate for # it, so he goes ahead and tries to do it again. tmpdir.chdir() stdout, stderr, exit_code = run_command("gimmecert", "server", "myserver") # John realizes in last moment, just as he presses ENTER, that he # had issued certificate already. He wonders if he'd need to # redeploy it again now, though. To his (small) relief, he # realizes is it not necessary, since the tool has refused to # overwrite the old key and certificate. Instead he is presented # with an error notifying him that the certificate has already # been issued. assert exit_code != 0 assert stderr == "Refusing to overwrite existing data. Certificate has already been issued for server myserver.\n" assert stdout == "" # John double-checks (just to be on the safe side), and can see # that both the private key and certificate have been left # unchanged. assert tmpdir.join(".gimmecert", "server", "myserver.key.pem").read() == private_key assert tmpdir.join(".gimmecert", "server", "myserver.cert.pem").read() == certificate